generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Make an explicit check during certificate validation to see that the

Browse Source 
CA setting in each certificate on the chain is correct.  As a side-
effect always do the following basic checks on extensions, not just
when there's an associated purpose to the check:
- if there is an unhandled critical extension (unless the user has
  chosen to ignore this fault)
- if the path length has been exceeded (if one is set at all)
- that certain extensions fit the associated purpose (if one has been
  given)
This commit is contained in:
Richard Levitte
2004-11-29 11:18:00 +00:00
parent 6826d26ea7
commit cd52956357
6 changed files with 92 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
apps/verify.c
View File

@@ -354,6 +354,7 @@ static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx)
if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;
/* Continue after extension errors too */
if (ctx->error == X509_V_ERR_INVALID_CA) ok=1;
if (ctx->error == X509_V_ERR_INVALID_NON_CA) ok=1;
if (ctx->error == X509_V_ERR_PATH_LENGTH_EXCEEDED) ok=1;
if (ctx->error == X509_V_ERR_INVALID_PURPOSE) ok=1;
if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1;